Expand Up @@ -86,6 +86,7 @@ The finding list contains the following information:

* Deprecated components: The current date - The date when the component was deprecated
* Outdated components: The current date - The publish date of the first higher runtime compatible version
* Vulnerable components: The number of days since the date when the CVSS score was computed

* Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options.
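Review bot: The "Vulnerable components" bullet in the age list is worded differently from its two siblings, which are both written as a subtraction ("The current date - The date when ..."). Consider "Vulnerable components: The current date - The date when the CVSS score was computed" so all three definitions read the same way. The same definition is repeated as the **Age** field in software-composition.md, so whichever wording is chosen should be used in both places.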

Expand Up @@ -18,10 +18,16 @@ The settings on this tab determine how each such vulnerability is calculated for

The default values are strict, but you can adjust them to reflect the practice of your company.

## Finding Types
## Finding Types {#finding-types}

The types of findings that you can adjust for are **Outdated** and **Deprecated**.

### Vulnerable

A finding is generated when a component is published on the [Security Advisories](/releasenotes/security-advisories/) page, and is assigned a specific CVSS score. CVSS scores are based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework, and cannot be orverriden.

You can choose the combination of CVSS range and severity for which you want a component to be marked as vulnerable.

### Outdated

A finding is generated when a component becomes outdated, meaning when a new runtime compatible version is published to the Mendix Marketplace.
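Review bot: The intro sentence under "Finding Types" still reads "The types of findings that you can adjust for are **Outdated** and **Deprecated**", but the "### Vulnerable" section directly below it says the user can choose the combination of CVSS range and severity. Update the intro to include Vulnerable, or state there that only its range-to-severity mapping is adjustable. In the "Vulnerable" paragraph, "orverriden" should be "overridden". That paragraph also needs a clause saying that the score itself is fixed while the threshold is configurable, because "cannot be overridden" followed by "You can choose" reads as a contradiction.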
37 changes: 37 additions & 0 deletions content/en/docs/deployment/general/software-composition.md
Expand Up @@ -116,6 +116,25 @@ The page is divided into two tabs: **Findings** and **Component Usage**. For det
* [Findings](/control-center/overview-tab/#overview-findings)
* [Component Usage](/control-center/overview-tab/#overviw-component-usage)

#### Finding and Component Details

If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections:

* **Finding Details** – This includes the following details:

* **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab.
* **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page.
* **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework.
* **Age** – The number of days since the date when the CVSS score was computed.
* **Created on** – The date when the component was created.
* **Description** – The reason why the component was marked as vulnerable.

* **Components Details** – This includes the following details:

* **Current Version** – The version of the component affected by this finding.
* **Type** – The type of the component affected by this finding.
* **Publisher** – The entity that published the component affected by this finding.

## Components {#all-components}

The **Components** tab gives an overview of all the unique components deployed in all the combined app environments.
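Review bot: Under **Finding Details**, "**Created on** – The date when the component was created" describes the component rather than the finding. If this field is the date the finding was created, say so; if it really is the component's date, move it to the component section. The second section is labelled "**Components Details**" while the heading is "Finding and Component Details", so pick one form and match the label shown in the window. "Security Advisories" is only bold in the **CVE-ID** bullet, whereas the Scoring Criteria change links it to /releasenotes/security-advisories/; linking it here as well would be consistent.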
Expand Down Expand Up @@ -203,6 +222,24 @@ The finding list contains the following information:

* Column customization ({{% icon name="view" %}}) — You can customize the columns in the list by clicking the {{% icon name="view" %}} icon and selecting or deselecting options.

##### Finding and Component Details

If a finding is marked as **Vulnerable**, its corresponding component has a **View Details** button. Clicking it opens a window which includes two sections:

* **Finding Details** – This includes the following details:

* **Severity** – The severity of the finding, as computed on the [Scoring Criteria](/control-center/scoring-criteria-tab/) tab.
* **CVE-ID** – The unique ID which identifies the finding on the **Security Advisories** page.
* **CVSS Score** – The CVSS score, as computed based on the [NVD Vulnerability Metrics](https://nvd.nist.gov/vuln-metrics) framework.
* **Age** – The number of days since the date when the CVSS score was computed.
* **Created on** – The date when the component was created.
* **Description** – The reason why the component was marked as vulnerable.

* **Components Details** – This includes the following details:

* **Current Version** – The version of the component affected by this finding.
* **Type** – The type of the component affected by this finding.

#### Component Usage {#component-component-usage}

The **Component Usage** tab displays a detailed view of all environments where the component is used.
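Review bot: **Publisher** is missing from the **Components Details** list in this block, although the otherwise identical block under "#### Finding and Component Details" earlier in the same file includes it. If the details window is the same in both places, add the bullet; if it differs here, say so explicitly. Since the rest of the text is duplicated word for word, consider keeping it in one place and cross-referencing it so the two copies cannot drift further. As in the first copy, "**Created on**" is described as the component's creation date under Finding Details, and the label "Components Details" does not match the heading.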